Sample viewer

vx.netlux.org/Trojan.DOS.QHA.f

GIF

Syscalls:

Time	Syscall Op	Syscall Name
2018-12-17T23:16:01.308584965Z	48	PC: 17da0 \| Get DOS version
2018-12-17T23:16:01.310322395Z	74	PC: 17df0 \| Reallocate memory
2018-12-17T23:16:01.311874264Z	48	PC: 17a2c \| Get DOS version
2018-12-17T23:16:01.312859094Z	53	PC: 17a34 \| Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T23:16:01.31475513Z	37	PC: 17a46 \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T23:16:01.315880693Z	68	PC: 17ad7 \| I/O control for devices (Set for = '>u��')
2018-12-17T23:16:01.317265422Z	68	PC: 17ad7 \| I/O control for devices
2018-12-17T23:16:01.319017168Z	68	PC: 17ad7 \| I/O control for devices
2018-12-17T23:16:01.320226756Z	68	PC: 17ad7 \| I/O control for devices
2018-12-17T23:16:01.321525036Z	68	PC: 17ad7 \| I/O control for devices
2018-12-17T23:16:01.323628331Z	53	PC: 1597e \| Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T23:16:01.324733463Z	53	PC: 1598b \| Get interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-17T23:16:01.325800898Z	53	PC: 15998 \| Get interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:16:01.327460905Z	37	PC: 159ad \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T23:16:01.328466062Z	37	PC: 159b5 \| Set interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-17T23:16:01.329398726Z	37	PC: 159bd \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:16:01.330930731Z	53	PC: 15ef6 \| Get interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T23:16:01.331931258Z	53	PC: 15f03 \| Get interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T23:16:01.332916657Z	53	PC: 15f12 \| Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T23:16:01.334380335Z	37	PC: 15f1f \| Set interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T23:16:01.335335203Z	53	PC: 15f26 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T23:16:01.336863955Z	37	PC: 15f33 \| Set interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T23:16:01.350703599Z	53	PC: 15f3f \| Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T23:16:01.354730242Z	48	PC: 16001 \| Get DOS version
2018-12-17T23:16:01.35589188Z	74	PC: 16deb \| Reallocate memory
2018-12-17T23:16:01.357950588Z	74	PC: 16deb \| Reallocate memory
2018-12-17T23:16:01.359218462Z	68	PC: 158f4 \| I/O control for devices (Set for = '��"+,:;<=>[]\|')
2018-12-17T23:16:01.360417843Z	68	PC: 158f4 \| I/O control for devices (Set for = '')
2018-12-17T23:16:01.362343039Z	51	PC: 15912 \| Get or set Ctrl-Break
2018-12-17T23:16:01.363048827Z	51	PC: 1591e \| Get or set Ctrl-Break
2018-12-17T23:16:01.365537292Z	61	PC: 13176 \| Open file (Filename = 'C:\WINDOWS\SYSTEM\QHA.PRT')
2018-12-17T23:16:01.376329496Z	60	PC: 1303b \| Create or truncate file
2018-12-17T23:16:01.722156078Z	62	PC: 145f1 \| Close file
2018-12-17T23:16:01.724696542Z	61	PC: 13176 \| Open file (Filename = 'C:\WINDOWS\SYSTEM\QHA.PRT')
2018-12-17T23:16:01.732832678Z	68	PC: 130cf \| I/O control for devices (Set for = 'R> �)�)j75'�7�7�7�'Z��"+,:;<=>[]\|')
2018-12-17T23:16:01.735625051Z	66	PC: 14393 \| Move file pointer
2018-12-17T23:16:01.738070672Z	63	PC: 145ba \| Read file or device (Read 50 bytes on handle 5)
2018-12-17T23:16:01.741391097Z	62	PC: 145f1 \| Close file
2018-12-17T23:16:01.743588163Z	25	PC: 12c49 \| Get default drive
2018-12-17T23:16:01.744546763Z	13	PC: 12c4e \| Disk reset
2018-12-17T23:16:01.746400813Z	14	PC: 12c55 \| Set default drive (Drive = 'A')
2018-12-17T23:16:01.749212926Z	74	PC: 16deb \| Reallocate memory
2018-12-17T23:16:01.750891194Z	51	PC: 15929 \| Get or set Ctrl-Break
2018-12-17T23:16:01.753008923Z	37	PC: 15bab \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T23:16:01.754494397Z	37	PC: 15bb5 \| Set interrupt vector (Interrupt = '4' AKA 'Auxiliary output')
2018-12-17T23:16:01.755924992Z	37	PC: 15bbf \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:16:01.765512389Z	53	PC: 14686 \| Get interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T23:16:01.766794011Z	53	PC: 14693 \| Get interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T23:16:01.768007446Z	53	PC: 146a0 \| Get interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T23:16:01.769730559Z	37	PC: 146bb \| Set interrupt vector (Interrupt = '28' AKA 'Get allocation info for specified drive')
2018-12-17T23:16:01.770934233Z	53	PC: 146c3 \| Get interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T23:16:01.771995277Z	37	PC: 146d0 \| Set interrupt vector (Interrupt = '9' AKA 'Display string')
2018-12-17T23:16:01.773649182Z	53	PC: 146d7 \| Get interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T23:16:01.774738896Z	37	PC: 146e4 \| Set interrupt vector (Interrupt = '8' AKA 'Console input without echo')
2018-12-17T23:16:01.775730685Z	37	PC: 146ee \| Set interrupt vector (Interrupt = '239' AKA 'UNKNOWN!')
2018-12-17T23:16:01.7777624Z	37	PC: 146f9 \| Set interrupt vector (Interrupt = '240' AKA 'UNKNOWN!')
2018-12-17T23:16:01.778931646Z	37	PC: 17b88 \| Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T23:16:01.782855818Z	41	PC: 17921 \| Parse filename
2018-12-17T23:16:01.784943891Z	41	PC: 17923 \| Parse filename
2018-12-17T23:16:01.787845385Z	41	PC: 17928 \| Parse filename
2018-12-17T23:16:01.78939971Z	75	PC: 1793e \| Execute program
2018-12-17T23:16:01.811427084Z	80	PC: 1ac99 \| Set current PSP
2018-12-17T23:16:01.812533892Z	48	PC: 1ac9e \| Get DOS version
2018-12-17T23:16:01.813904373Z	99	PC: 21480 \| Get DBCS lead byte table pointer
2018-12-17T23:16:01.816751291Z	101	PC: 1ad24 \| Get extended country info
2018-12-17T23:16:01.818280329Z	99	PC: 1ad2a \| Get DBCS lead byte table pointer
2018-12-17T23:16:01.819731095Z	74	PC: 1ad8c \| Reallocate memory
2018-12-17T23:16:01.821768157Z	25	PC: 1adc3 \| Get default drive
2018-12-17T23:16:01.822745742Z	37	PC: 1a883 \| Set interrupt vector (Interrupt = '34' AKA 'Random write')
2018-12-17T23:16:01.823702527Z	37	PC: 1a88a \| Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T23:16:01.82547511Z	37	PC: 1a891 \| Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T23:16:01.82976054Z	74	PC: 19a2c \| Reallocate memory
2018-12-17T23:16:01.831361189Z	72	PC: 19a6d \| Allocate memory
2018-12-17T23:16:01.833693638Z	72	PC: 19aa5 \| Allocate memory
2018-12-17T23:16:01.835301204Z	72	PC: 19aad \| Allocate memory